Adds new CRL distribution points (CDP) for Certification Authority.
Add-CRLDistributionPoint [-InputObject] <CRLDistributionPoint> [-URI] <String> [<CommonParameters>]
Adds new CRL distribution points (CDP) for Certification Authority. This command doesn't change actual settings, but just prepares the CDP URIs.
CDP Extension consist of two URI types:
-for physical CRL file publishing. These URIs are not appeared in the certificate CDP extension.
-for publishing in the certificate/CRL appropriate extensions.
Published URIs are used by certificate chaining engine during certificate revocation status checking. URIs are checked in the same order as they are placed in the certificate's CDP extension until CRL is retrieved. The most accessible URI should be placed first.
This command adds new URIs below existing URIs. It is recommended to specify no more than two CRL location URIs (for Base CRLs). This is because if the first two URIs fails, client will fail revocation checking due of timeout and certificate might be rejected.
Here is an example:
CRL Distribution Point
Distribution Point Name:
In a given example http://eu.company.com/MyCA.crl is processed first. If this URI fails, http://na.company.com/MyCA.crl will be used. If both URIs fails, client application should report 'Revocation offline' error.
Note: If certificate's AIA extension contains OCSP URIs and client application supports OCSP, it is used first. Otherwise CDP extension is used. If all OCSP locations fail, CDP extension is used. In certain cases
applications (for example CryptoAPI) that supports OCSP may elect to ignore OCSP and use CDP extension instead. Thus it is very important to maintain correct and actual URIs in the CDP extension.
Specifies the CRLDistributionPoint object to which add new CRL distribution points. This object can be retrieved by running
|Accept pipeline input??
||true (ByValue, ByPropertyName)
|Accept wildcard characters?
Specifies new CRL file publishing distribution points for particular CA. Must be passed in the following format: <Flags>:<RelativeURI>, where <Flags> is a combination of publishing flags. The following
values are possible for <Flags>:
1 - Publish CRLs to this location.
2 - Include in all issued certificates.
4 - Include in CRLs. Clients use this to find delta CRL locations.
8 - Include in the CDP extension of CRLs.
64 - Publish delta CRLs to this location. Specifies where to publish in AD DS when publishing to LDAP URLs.
128 - Include in the IDP extension of issued CRLs.
Within <RelativeURI> you can use the following variables:
%1 - the CA's computer DNS name.
%2 - the CA's computer NetBIOS name.
%3 - CA's logical name.
%6 - the LDAP path of the forest's configuration naming context for the forest.
%7 - CA's 'sanitized' name. This is the same as CA name but with encoded special characters, such: \/:\*?"<>|.
%8 - the CRL's renewal extension.
%9 - indicates whether Delta CRLs are supported by this CA.
%10 - indicates that the object is CDP object in AD CS.
With Windows CA you should assert %8 variable within URI. This is important when you renew CA's certificate with new key pair. After CA certificate renewal CA server will maintain both CRLs that are signed by previous and renewed CA certificate. To separate
them CA server will include certificate index in the parenthesises. For example you have specified the following URI: 6:http://eu.company.com/MyCA%8.crl
In a given example CA server with initial CA certificate will publish the following URI in the issued certificates AIA extension: http://eu.company.com/MyCA.crl
Once CA certificate is renewed with new key pair, CA certificate will generate new CRLs files with corresponding index and in newly issued certificates the following URI will be published: http://eu.company.com/MyCA(1).crl
Subsequent CA certificate renewals with new key pair will cause URI update accordingly.
Note: Windows PKI supports the following URI formats.
for CRL publishing
for CRL retrieval:
Note: ldap:///<DirectoryAccessProtocolPath> URI type assumes Active Directory usage and must contain forest root domain domain component (DC=...) within LDAP path. This may cause big retrieval delays. Since
Active Directory may contain many domain controllers and specified in LDAP URI content is automatically replicated between all domain controllers in the current forest. To simplify content retrieval from Active Directory CryptoAPI may not contact forest root
domain, but contact nearest to client domain controller. Nearest domain controller is placed in $env:LogonServer system variable (or %LogonServer% in CMD syntax).
Also Windows PKI supports another form of LDAP URIs with host name:
In this case client will not contact domain controller, but specified host directly. Unlike ldap:/// URI form, ldap://<hostname> may use 3rd party LDAP-compatible directory. Automatic content (CA certificate or certificate revocation list) publishing
to such directories is not supported. You will have to manually publish CA certificates to these directories by using external means.
|Accept pipeline input??
|Accept wildcard characters?
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer and OutVariable. For more information, type,
Author: Vadims Podans
-------------- Example 1 --------------
PS C:\> Get-CertificationAuthority RootCA | Get-CrlDistributionPoint | Add-CrlDistributionPoint -NewURI "6:http://crl.domain.com/%3%8%9.crl" | Set-CrlDistributionPoint -RestartCA
This example will add new CDP URI to certificate CDP for 'RootCA' CA server. Also this will add new URI in Freshest CRL in CRL CDP to locate corresponding Delta CRL. After command completion CA services will be restarted to immediately
-------------- Example 2 --------------
PS C:\> Get-CertificationAuthority | Get-CrlDistributionPoint | Add-CrlDistributionPoint -NewURI "65:\\ServerName\crlfile%9.crl", "65:C:\CertData\%3%8%9.crl" | Set-CrlDistributionPoint -RestartCA
This will add new paths for Base and Delta CRL file publication for all CAs in the current forest. This example will not add any new URIs in certificate CDP extension, but instructs CA to publish physical CRL files to the specified
locations. After command completion CA services will be restarted to immediately apply changes.